Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932125AbdGCNkF (ORCPT ); Mon, 3 Jul 2017 09:40:05 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:35238 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932071AbdGCNjx (ORCPT ); Mon, 3 Jul 2017 09:39:53 -0400 From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dan Carpenter , Steffen Klassert Subject: [PATCH 4.4 085/101] xfrm: NULL dereference on allocation failure Date: Mon, 3 Jul 2017 15:35:25 +0200 Message-Id: <20170703133348.646726328@linuxfoundation.org> X-Mailer: git-send-email 2.13.2 In-Reply-To: <20170703133334.237346187@linuxfoundation.org> References: <20170703133334.237346187@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1047 Lines: 34 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Dan Carpenter commit e747f64336fc15e1c823344942923195b800aa1e upstream. The default error code in pfkey_msg2xfrm_state() is -ENOBUFS. We added a new call to security_xfrm_state_alloc() which sets "err" to zero so there several places where we can return ERR_PTR(0) if kmalloc() fails. The caller is expecting error pointers so it leads to a NULL dereference. Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.") Signed-off-by: Dan Carpenter Signed-off-by: Steffen Klassert Signed-off-by: Greg Kroah-Hartman --- net/key/af_key.c | 1 + 1 file changed, 1 insertion(+) --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -1135,6 +1135,7 @@ static struct xfrm_state * pfkey_msg2xfr goto out; } + err = -ENOBUFS; key = ext_hdrs[SADB_EXT_KEY_AUTH - 1]; if (sa->sadb_sa_auth) { int keysize = 0;
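Review bot: the added `err = -ENOBUFS;` ahead of the `SADB_EXT_KEY_AUTH` lookup has no comment saying why the default is being restored, so it reads like a redundant assignment and is easy to drop in a later cleanup. A one-line comment would help, noting that security_xfrm_state_alloc() sets err to zero and that the kmalloc() failure paths after this point rely on the -ENOBUFS default. The fix also remains fragile in this form: any later call that stores a success value in err after this line reopens the ERR_PTR(0) return that the caller does not expect. Setting err explicitly at each allocation-failure site, or having the `out` path refuse to return ERR_PTR(0), would be more robust. Only this one hunk context is visible in the mail, so the individual kmalloc() sites cannot be checked from here.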